Top Privacy Trends for Organizations in 2023

As we head into 2023, privacy trends continue to be a critical issue for businesses across all industries. Organizations need to stay up-to-date with the latest developments in privacy laws and regulations to ensure they are adequately protecting their customers' and employees' personal information.

In this guide, we'll explore some of the top privacy trends for 2023 and what organizations can do to stay compliant.

State Consumer Privacy Laws

One of the most significant privacy trends of 2023 is the emergence of comprehensive state consumer privacy laws. California, Virginia, Colorado, Connecticut, and Utah are the five states that have enacted these laws, which require businesses to be more transparent about how they collect, store, and use consumer data.

The California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA) have already gone into effect as of January 1, 2023. However, regulations related to artificial intelligence (AI), cybersecurity audits, or privacy risk assessments are not yet included. Additionally, the CPRA is the only law that currently applies to employment and business-to-business information.

Colorado is the only other state to issue regulations related to its consumer privacy law. The Colorado Attorney General recently issued proposed regulations on the Consumer Privacy Act (CPA) and will begin holding stakeholder sessions in 2023. Organizations subject to these laws should assess how they will affect their overall privacy program.

Many other states are also considering adopting comprehensive consumer privacy laws, so organizations must continually adapt their data privacy programs. Specifically, organizations must map out what personal data they use, how they collect it, who has access to it, and where it is stored. They should also review privacy policies and related notices to ensure they disclose the necessary information to consumers, employees, and business-to-business contacts. Because the laws are in flux, organizations should also monitor developments in state legislatures and other applicable global jurisdictions.

Regulations Related to AI and Automated Processing

In 2023, organizations will be subject to new AI and automated processing-related obligations under four new state consumer privacy laws. While organizations subject to the General Data Protection Regulation (GDPR) are likely familiar with the law's requirements related to AI and automated processing, the regulatory landscape in the U.S. remains uncertain.

New consumer privacy laws in California, Colorado, Connecticut, and Virginia have AI/automated processing-related requirements, such as impact assessments on high-risk processing and opt-out rights. However, questions remain on how states will address consumer harms and right to delete requests, and what type of information organizations should provide to consumers related to automated processing.

Over the course of the year, organizations that use AI or automated processing technology should be mindful that new requirements are likely to emerge as California's rulemaking process is in progress, and Colorado has issued proposed regulations.

Children's Privacy

The government continues to focus on protecting children's privacy. California recently enacted the California Age-Appropriate Design Code Act (CAADCA), which takes effect on July 1, 2024. The CAADCA aims to protect the wellbeing, data, and privacy of children using online platforms.

On the federal level, the Federal Trade Commission (FTC) continues to aggressively enforce the Children's Online Privacy Protection Act (COPPA) by issuing hefty fines. Companies with online services directed to children or that have reason to know that children under the age of 13 use their services should ensure compliance with COPPA and state laws.

EU-U.S. Data Privacy Framework

The EU and the U.S. agreed on a data transfer regime last year, and the EU recently issued its draft adequacy decision on the EU-U.S. Data Privacy Framework (DPF). The draft adequacy decision, if adopted, establishes that the U.S. offers appropriate safeguards to EU consumers and ensures an adequate level of protection for personal data transferred from the EU to organizations in the U.S.

Although the DPF has been praised by EU and U.S. officials, EU regulators are already planning a challenge as they believe it falls short of the level of protection required by the GDPR. Organizations that transfer data between the EU and the U.S. should monitor developments in this area closely.

Escalated Enforcement Actions and Litigation

2022 marked the first enforcement of the California Consumer Privacy Act (CCPA), and the expectation is that both domestic and international regulators will be increasing their efforts to identify and bring enforcement actions against entities they perceive as violating data privacy and security laws.

At the same time, the EU Advocate General provided guidance that data subjects are not automatically owed compensation for technical violations of the GDPR without material or non-material damage, and instead can only be compensated for actual harm. This may reduce private claims under the GDPR.

Cybersecurity Programs and Incident Response Plans

Cybersecurity remains a top priority for organizations as cyberattacks, including ransomware and cyber extortion, continue to increase year-over-year. According to the Verizon Data Breach Investigations Report, ransomware attacks increased 13% last year and will likely increase in 2023.

Organizations should proactively monitor risks and update their cybersecurity programs and incident response plans to defend against and efficiently respond to cyberattacks. Several newly proposed rules could also come into effect this year, such as the New York Department of Financial Services (NYDFS) cybersecurity regulation, the Securities and Exchange Commission (SEC) cybersecurity disclosure requirements for public companies, and the Cybersecurity Incident Reporting for Critical Infrastructure Act (CISA).

State Data Breach Notification Laws

State data breach notification laws are continually evolving with new and different requirements. Organizations must make it a priority to monitor these changes to understand their obligations in the event of a data breach and update their incident response plans accordingly.

To learn more about state data breach notification laws and developments, please refer to Foley's state data breach notification chart.

How Organizations Can Adapt to These Privacy Trends

As we have seen, the privacy landscape is continually evolving, and organizations must stay up-to-date with the latest privacy trends and regulations to protect their customers' and employees' personal information effectively.

Some steps that organizations can take to adapt to these privacy trends include:

  1. Conducting a comprehensive audit of personal data
  2. Updating privacy policies and notices
  3. Implementing data protection and security measures
  4. Creating a data breach response plan
  5. Monitoring privacy trends and regulations

By staying up-to-date with the latest privacy trends and regulations, organizations can protect their customers' and employees' personal information effectively and avoid costly fines and legal action.

Remember, protecting personal information is crucial in today's digital age. Ensure that your organization is taking the necessary steps to stay compliant and protect the privacy of your customers and employees.
